From support@us.external.hp.com Wed Mar 13 00:51:50 1996
Date: Wed, 13 Mar 1996 01:00:24 -0800
From: HPSL Mail Service
Reply to: support-feedback@us.external.hp.com
To: Damien Sorder
Subject: RE: send doc HPSBMP9503-003
--------
## Regarding your request:
Send Doc HPSBMP9503-003
The following are the results of your request from the HP SupportLine mail
service.
===============================================================================
Document Id: [HPSBMP9503-003]
Date Loaded: [03-20-95]
Description: Security Vulnerability (HPSBMP9503-003) in MPE/iX releases
===============================================================================
-------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: (MPE/iX) #00003, 20 March 95
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard will not be liable for
any consequences to any customer resulting from customer's failure
to fully implement instructions in this Security Bulletin as soon
as possible.
_______________________________________________________________________
PROBLEM: Security vulnerability in the MPE/iX operating system
PLATFORM: HP3000 Series 900 systems running any release of MPE through and
including the Limited Release of MPE/iX 5.0 (X.50.20)
DAMAGE: Users can gain additional privileges and/or special capabilities
SOLUTION: Update all systems to the General Release of MPE/iX 5.0, or
Apply patch MPEHX26A (MPE/iX Release 4.0 B.40.00), or
patch MPEHX26B (Limited Release MPE/iX 5.0 X.50.20)
FIX: The problem is fixed in the General Release of MPE/iX 5.0 (C.50.00)
AVAILABILITY: The 5.0 General Release and all patches are available now.
_______________________________________________________________________
A. Nature of the problem
It has been found that HP 3000 systems running MPE/iX Release 4.0
(B.40.00), Release 4.5 (C.45.00), and the Limited Release of
MPE/iX 5.0 (X.50.20) have a vulnerability that can be exploited by
users to gain additional privileges and/or capabilities, but only if
the users are already logged on to the system. This problem does not
permit a user to gain additional privileges by accident. However, a
user can exploit this vulnerability to gain System Manager (SM)
capability.
B. Fixing the problem
Hewlett-Packard recommends that you update your HP 3000 Series 900
computer systems to the General Release of MPE/iX 5.0 (C.50.00), as
this problem is fixed in that release. Updating to the 5.0 General
Release is the easiest and safest way to get the fix for this security
problem. Customers with HP System Support contracts should have
already received their shipments of the General Release of MPE/iX 5.0
(C.50.00).
However, if you feel that you cannot update to the 5.0 General
Release at this time, the proper corrective measure depends on which
release of MPE/iX your HP 3000 system is running.
The vulnerability can be eliminated from Release 4.0 and the Limited
Release of MPE/iX 5.0 by applying a patch, MPEHX26A or MPEHX26B.
Release 4.5 (C.45.00) MUST be updated to the General Release of
MPE/iX 5.0 (C.50.00), as no patch will be created for Release 4.5.
No patches will be available for versions of MPE/iX prior to
Release 4.0. Instead, you must update to a supported release. HP
recommends that you update such systems to the General Release of
MPE/iX 5.0. If you update to one of the other supported releases,
you will have to follow the patch instructions described in the next
section of this bulletin.
C. How to Install the Patch (for MPE/iX 4.0 & Limited Release MPE/iX 5.0)
1. Determine which patch is appropriate for your operating system release:
MPEHX26A for Series 900, MPE/iX 4.0 (B.40.00)
MPEHX26B for Series 900, Limited Release MPE/iX 5.0 (X.50.20)
2. Obtaining the patch.
If you have an HP System Support contract, you should be receiving a
security notification packet that includes a FAX-back form for
ordering the patches that fix the problems described in the following
three Security Bulletins -- HPSBMP9503-001, HPSBMP9503-002, and
HPSBMP9503-003.
If you do not have an HP System Support contract, you can obtain the
same patches by ordering MPE/iX SECURITY PATCH, Product Number B5116AA.
This product is available at no charge. When ordering the product,
you need to know which MPE/iX release you are patching and on what
media you want the patch delivered. The following chart shows the
two product options:
Option Table for Product Number B5116AA
1600BPI 6250BPI
Tape Tape DDS
|---------|---------|---------|
B.40.00 | 240,AA1 | 240,AA2 | 240,AAH |
|---------|---------|---------|
X.50.20 | 250,AA1 | 250,AA2 | 250,AAH |
|---------|---------|---------|
Phone numbers to HP Direct and other HP Country Sales offices have
been included at the end of this bulletin for your convenience.
3. Apply the patch to your MPE/iX system.
Installation instructions are included with the MPE/iX SECURITY PATCH
product.
D. Impact of the patch and workaround
Application of the patch will eliminate the vulnerability.
E. Obtaining General Security Information
To subscribe to automatically receive future NEW HP Security
Bulletins from the HP SupportLine mail service via electronic
mail, send an email message to:
support@support.mayfield.hp.com (no Subject is required)
Multiple instructions are allowed in the TEXT PORTION OF THE
MESSAGE, here are some basic instructions you may want to use:
To add your name to the subscription list for new Security
Bulletins, send the following in the TEXT PORTION OF THE MESSAGE:
subscribe security_info
To retrieve the index of all HP Security Bulletins issued to date,
send the following in the TEXT PORTION OF THE MESSAGE:
send security_info_list
World Wide Web service for browsing of bulletins is available via
the HPSL URL:
http://support.mayfield.hp.com
Choose "Support news", then under Support news,
choose "Security Bulletins"
F. To report new security vulnerabilities, send email to
security-alert@hp.com
_______________________________________________________________________
United States Canada
Tel: 800-386-1117 Tel: 800-387-3154
Fax: 800-386-1118
Austria Netherlands
Tel: 43 222/250 00-200 Tel: 31 20-5476040
Fax: 43 222/250 00-311 Fax: 31 20-5477778
Belgium Norway
Tel: 32 2/778.33.99 Tel: 47 2 273 5767
Fax: 32 2/778.33.88 Fax: 47 2 273 5620
Czech Republic Poland
Tel: 42/2/4717230 Tel: 48/22/375085
Fax: 42/2/4717611 Fax: 48/22/374783
Denmark Portugal
Tel: 45 45 99 11 45 Tel: 351(1)301 7343
Fax: 45 45 82 11 46 Fax: 351(1)301 7568
Finland Russia
Tel: 358 0-8872 2000 Tel: 7095-923-5001
Fax: 358 0-8872 2002 Fax: 7095-230-2611
France Slovenia
Tel: 33(1)60 77 30 04 Tel: 386(61)159-3322
Fax: 33(1)69 91 86 79 Fax: 386(61)558-597
Germany Slovak Republic
Tel: 49 70 31/14-55 40 Tel: 42/7/765896
Fax: 49 70 31/14-10 80 Fax: 42/7/763408
Greece Spain
Tel: 30/1/6896411 Tel: 34(1)631 11 11
Fax: 30/1/6896512 Fax: 34(1)631 11 22
Hungary Sweden
Tel: 36/1/1420986 Tel: 46 8-750 22 10
Fax: 36/1/1223692 Fax: 46 8-793 90 50
Iceland Switzerland (French)
Tel: 354/1/671000 Tel: 41(22)780 44 65
Fax: 354/1/673031 Fax: 41(22)780 42 20
Ireland Switzerland (German)
Tel: 353/1/2844633 Tel: 41 1/735 72 70
Fax: 353/1/2844622 Fax: 41 1/735 77 11
Italy Turkey
Tel: Tel: 90-1-224 59 25
Fax: 39 2/75.30.645 Fax: 90-1-224 59 39
Mexico UK
Tel: (+52 5) 326-4684 Tel: 44-344-369231
Fax: 44 344-361014
European Headquarters & Middle East and
Multicountry Sales Region Afrika Operation
Tel: 41/22/780/8111 Tel: 41/22/780/4111
Fax: 41/22/780/8609 Fax: 41/22/780/4770
Australia Korea
Tel: (61-2)950-7491 Tel: (822)769-0612
Fax: (61-2)878-5596 Fax: (822)769-0523
Asia Pacific Headquarters Malaysia
Tel: (65) 290-6217 Tel: (60-3)295-2315
Fax: (65) 291-9697 Fax: (60-3)291-5495
Hong Kong Singapore
Tel: (852)599-7571 Tel: (65) 290-6005
Fax: (852)506-9261 Fax: (65) 296-9023
Japan Taiwan
Tel: (81-423)30-7888 Tel: (886-2)717-9620
Fax: (81-426)45-4312 Fax: (886-2)714-8793
Other Countries
Call your local HP Country Sales office or distributor
-----------------------------------------------------------------------------